Incentive

This is a collection of tips if you want to set up a demo site, i.e. a Geeklog site where users can log in with admin privileges so that they can have a look "behind the scenes" without having to install Geeklog themselves first.

The Problem

All of the "risky" options on a Geeklog site require admin access. On a demo site, however, you give admin access to any random visitor. So it's important to identify and disable those admin options that can either bring down the demo site or even allow an attacker to upload and run malicious code on the site.

These issues are specific to running a demo site. On a standard Geeklog install, you would only give admin privileges to people you trust.

PHP in Static Pages

You can embed PHP code in Static Pages. By default, that feature is disabled in a standard install, but can easily be enabled if you have admin privileges.

To disable this option entirely on a demo site setup, add the following line to your site's siteconfig.php file:

$_SP_DEFAULT['allow_php'] = 0;

Plugin Uploads

Geeklog 1.6 introduced an option to upload plugins directly from within Geeklog. This option requires write access to certain directories and is therefore a potential security issue on a demo site.

To disable this option, make sure the plugins directories are not writeable for the webserver, i.e.
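The following POSIX shell helper is an added example, not part of this page or of Geeklog itself, showing how to verify that a plugin directory carries no write permission before you open the site to visitors. The directory paths in PLUGIN_DIRS are placeholders (this page does not list Geeklog's plugin directories); the function names are my own. It inspects the mode string from `ls -ld` rather than `test -w`, because `test -w` answers for the user running the check (often root), not for the webserver user.

```shell
#!/bin/sh
# Added example: lock down plugin directories on a Geeklog demo site.
# PLUGIN_DIRS holds placeholder paths; substitute the real plugin directories.
PLUGIN_DIRS="${PLUGIN_DIRS:-/path/to/geeklog/plugins /path/to/geeklog/public_html/admin/plugins}"

# Symbolic mode of a path, e.g. "drwxr-xr-x" (first 10 characters of ls -ld).
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Succeeds (returns 0) when the group or "other" write bit is set.
# Positions: 1 type, 2-4 owner, 5-7 group, 8-10 other; 'w' at 6 or 9 is what we test.
is_group_or_other_writable() {
  m=$(mode_of "$1")
  case "$m" in
    ?????w*|????????w*) return 0 ;;
    *) return 1 ;;
  esac
}

# Remove every write bit. Removing only g/o-w is not enough if the
# webserver user owns the directory, so owner write goes too.
make_unwritable() {
  chmod a-w "$1"
}

# Walk the configured directories: report and fix any that are writable.
lock_down_plugin_dirs() {
  for d in $PLUGIN_DIRS; do
    [ -d "$d" ] || { echo "skipping missing $d" >&2; continue; }
    if is_group_or_other_writable "$d"; then
      echo "fixing $d ($(mode_of "$d"))"
      make_unwritable "$d"
    fi
  done
}
```

Run `lock_down_plugin_dirs` after every reset as well, since a visitor with admin rights may have re-enabled uploads in the meantime; a directory owned by root with mode 555 cannot be re-opened from within Geeklog.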

OAuth Login

The OAuth Login options (introduced in Geeklog 1.8.0) should not be used on a demo site. They require you to enter the keys for the respective service (Facebook, Twitter, or LinkedIn) in the Configuration, where any random visitor could see them.

3rd Party Plugins

Carefully consider any additional plugins you install on the demo site and review their features for potential abuse. Plugins that allow any form of upload may create issues. At the very least, you may need to remove uploaded files during a regular reset of the site.

Other Considerations

If you open up a site the way a demo setup does, people will try all sorts of things. This will most likely include vandalism, spam, changing passwords, and trying to exploit features. Here are some things to consider for a demo setup:

Reset the Site regularly

Set up a cronjob to automatically reset the site every hour or at least once a day. Things you should reset:
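As an added example (not a script shipped with Geeklog or taken from this page), here is the shape of such a reset script: it reloads a dump of the pristine database and empties the upload directories, and the commented crontab line runs it hourly. The dump path, database name and user, the upload directories and the function names are all assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example: hourly reset for a Geeklog demo site.
# Every path and credential below is a placeholder, not a value from the page.
set -eu

CLEAN_DUMP="${CLEAN_DUMP:-/var/backups/geeklog-demo/clean.sql}"   # dump taken right after setup
DB_NAME="${DB_NAME:-geeklog_demo}"
DB_USER="${DB_USER:-geeklog}"
# Directories that visitors can fill with uploads; contents are wiped, the directories stay.
PURGE_DIRS="${PURGE_DIRS:-/path/to/geeklog/images/articles /path/to/geeklog/images/userphotos}"

# Delete everything inside DIR but keep DIR itself and its permissions.
purge_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "purge_dir: $dir is not a directory" >&2; return 1; }
  [ "$dir" != "/" ] || { echo "purge_dir: refusing to purge /" >&2; return 1; }
  find "$dir" -mindepth 1 -delete
}

# Number of entries (files and subdirectories) below DIR; used to verify a purge.
count_entries() {
  find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# Overwrite the vandalised database with the clean dump.
# Credentials are read from the mysql client's option file (~/.my.cnf), not passed on the command line.
restore_database() {
  [ -f "$CLEAN_DUMP" ] || { echo "clean dump $CLEAN_DUMP missing" >&2; return 1; }
  mysql --user="$DB_USER" "$DB_NAME" < "$CLEAN_DUMP"
}

# Full reset: database first, then uploads, so a half-finished run never
# leaves a clean database pointing at files that are still there.
reset_site() {
  restore_database
  for d in $PURGE_DIRS; do
    purge_dir "$d"
  done
  echo "demo site reset at $(date)"
}

# Crontab entry to run this every hour (script path is a placeholder):
# 0 * * * * /usr/local/bin/reset-demo-site.sh >> /var/log/reset-demo-site.log 2>&1

# Only run when invoked with --run, so sourcing the file for inspection is harmless.
if [ "${1:-}" = "--run" ]; then
  reset_site
fi
```

Take the clean dump from a freshly installed site with the demo admin account already created and the hardening settings from this page applied, so that each reset also undoes any password changes or configuration edits visitors made.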